Introduction
RSA Smart Card Middleware 3.6 consists of a smart card module based on:
• The Microsoft Smart Card Minidriver specification
• An implementation of the Public Key Cryptographic Standard #11 (PKCS #11)
Application Programming Interface (API) documented in the PKCS #11 v2.20:
Cryptographic Token Interface Standard
PKCS #11 specifies an API called Cryptoki. It interacts with devices that hold
cryptographic information and perform cryptographic functions. Middleware also
contains PKCS #11 mechanisms that allow you to read one-time passwords from
hardware tokens through a software program. These mechanisms are documented in
PKCS #11 v2.20 Amendment 1 PKCS #11 Mechanisms for One-Time Password
Tokens.
This document lists the functions and mechanisms supported by Middleware for you
to develop applications that exchange information with the smart card portion of the
RSA SecurID 800 Authenticator (SecurID 800). For more information on PKCS #11
standards, see the documents listed in the PKCS #11: Cryptographic Token
Interface Standard.
Note: This guide does not contain information for developers who want to write
applications that use the Microsoft Smart Card Minidriver communication path to a
cryptographic token (applications that use Microsoft Cryptographic Application
Programming Interface [CAPI]). For information on writing applications that use the
CAPI, see the Microsoft Developer Network site.
PKCS #11 Developer Guide for RSA Smart Card Middleware 3.6
System Requirements
The following table lists the system requirements for RSA Smart Card Middleware, as
well as the supported smart cards.
For more details on requirements, see the Installation and Administration Guide.
Installation
The installation requires 110 MB of disk space. You must have administrator
privileges on the local computer. The installation program installs the Middleware into
the destination folder.
You can install Middleware on a single computer or multiple computers. For example,
you can run the Windows Installer (MSI) file, RSA Smart Card Middleware 3.6.msi, to
install the product on a single computer. For a large-scale deployment to
multiple computers, you must provide account privileges to the appropriate users.
Then deploy Middleware using Microsoft Systems Management Server (SMS) or
another third-party product, such as Tivoli. Or, you can use a command line
installation. For details on installing Middleware, see the Installation and
Administration Guide.
Note: You must separately copy header files containing definitions and data structures
for creating applications. For more information, see the following section,
“Application Development.”
Application Development
RSA Smart Card Middleware was developed using Microsoft Visual C++ 2008. One
component of the Middleware is a PKCS #11 module that is provided as a Dynamic
Link Library (DLL). You can develop an application that communicates with
SecurID 800 authenticators through the PKCS #11 module.
You need the following files to write applications that interact with SecurID 800
authenticators:
• PKCS #11 Dynamic Link Library (pkcs11.dll). Installing Middleware installs this
DLL into the destination directory, usually
C:\Program Files\Common Files\RSA shared\RSA P11.
• Header files containing definitions and data structures for creating applications.
These files are not part of the Middleware installation. Copy them separately from
the APIs\PKCS 11 Support folder on the Middleware CD:
– cryptoki.h
– otp-pkcs11.h
– pkcs11.h
– pkcs11f.h
– pkcs11t.h
– pkcs11t_securid.h
The following sections provide details on the implementation. They contain
information on the PKCS #11 functions, supported objects, and cryptographic
mechanisms.
Supported Functions
RSA Smart Card Middleware supports the following functions from the PKCS #11
library. For more information, see the PKCS #11: Cryptographic Token Interface
Standard.
C_Finalize
C_GetInfo
C_GetFunctionList
C_GetSlotInfo
C_WaitForSlotEvent
C_GetTokenInfo
C_GetMechanismList
C_GetMechanismInfo
C_InitToken
C_InitPIN
C_SetPIN
C_CloseSession
C_CloseAllSessions
C_GetSessionInfo
C_Login
C_Logout
Note: If you log on to a token session as a security officer (user type CKU_SO), use the PIN
Unblock Key (PUK) as the PIN for your SecurID 800 authenticator. The PUK appears in the
XML file that came with the authenticator. It is displayed as an ANSI string of hex values
(usually 16 characters long). When you use the PUK as a PIN, you must convert the hex
representation into a binary array. Every two characters of the hex representation translate
into a single byte. Therefore, a PUK that is 16 characters long in the hex form converts to a
binary array that is eight bytes long.
C_DestroyObject
C_GetAttributeValue
C_SetAttributeValue
C_FindObjectsInit
C_FindObjects
C_FindObjectsFinal
Encryption: C_EncryptInit
C_Encrypt
C_EncryptUpdate
C_EncryptFinal
Decryption: C_DecryptInit
C_Decrypt
C_DecryptUpdate
C_DecryptFinal
C_Digest
C_DigestUpdate
C_DigestFinal
C_Sign
C_GenerateKeyPair
C_UnwrapKey
C_GenerateRandom
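The PUK-to-PIN conversion described in the note on C_Login above (log on as CKU_SO with the PUK, converting every two hex characters into one byte) as an added Python example; this is not code from the guide or from RSA. It validates the hex string copied from the authenticator's XML file and returns the byte array that is handed to C_Login as the PIN. The sample PUK value is constructed, and the default 8-byte length check reflects the usual 16-character form the note mentions.

```python
"""Convert a SecurID 800 PUK from its printed hex form into the binary PIN
array that C_Login expects for a CKU_SO login (added example; the PUK value
below is constructed, not taken from any authenticator)."""

import string

_HEX_DIGITS = set(string.hexdigits)


def puk_hex_to_pin_bytes(puk_hex, expected_len=8):
    """Return the PUK as a byte array: every two hex characters become one byte,
    so the usual 16-character PUK becomes 8 bytes.

    Raises ValueError rather than silently producing a wrong-length PIN.
    Pass expected_len=None to accept a PUK of any even hex length."""
    cleaned = "".join(puk_hex.split())          # drop whitespace copied from the XML file
    if len(cleaned) == 0 or len(cleaned) % 2:
        raise ValueError("hex PUK must be a non-empty, even-length string")
    bad = [c for c in cleaned if c not in _HEX_DIGITS]
    if bad:
        raise ValueError("hex PUK contains non-hex characters: %r" % bad)
    pin = bytes(int(cleaned[i:i + 2], 16) for i in range(0, len(cleaned), 2))
    if expected_len is not None and len(pin) != expected_len:
        raise ValueError("PUK decodes to %d bytes, expected %d" % (len(pin), expected_len))
    return pin


def is_valid_puk_hex(puk_hex, expected_len=8):
    """True when puk_hex_to_pin_bytes() would accept the value."""
    try:
        puk_hex_to_pin_bytes(puk_hex, expected_len)
    except ValueError:
        return False
    return True


# Constructed sample value in the format the XML file uses (16 hex characters).
SAMPLE_PUK_HEX = "0A1B2C3D4E5F6071"

if __name__ == "__main__":
    pin = puk_hex_to_pin_bytes(SAMPLE_PUK_HEX)
    # The common mistake is passing the 16 ASCII characters themselves (16 bytes);
    # C_Login must receive the 8 decoded bytes with ulPinLen equal to 8.
    print("ASCII form: %d bytes, binary form: %d bytes"
          % (len(SAMPLE_PUK_HEX.encode("ascii")), len(pin)))
    # With ctypes the decoded PIN is handed over as a CK_UTF8CHAR array, e.g.
    #   (ctypes.c_ubyte * len(pin))(*pin), len(pin)
```

The length check is deliberate: a PUK that decodes to the wrong number of bytes is far more likely a copy error than a genuine value, and it is better to stop in the application than to submit it to the token.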
Supported Objects
RSA Smart Card Middleware supports the following objects:
• Data (CKO_DATA)
• Certificate (CKO_CERTIFICATE)
• Public key (CKO_PUBLIC_KEY)
• Private key (CKO_PRIVATE_KEY)
• Secret key (CKO_SECRET_KEY)
• One-time password key (CKO_OTP_KEY)
The following sections provide implementation details of PKCS #11 objects specific
to RSA Smart Card Middleware 3.6. For more information on the PKCS #11 standard,
see the PKCS #11 v2.20: Cryptographic Token Interface Standard document.
Note: Even though the following sections define some attributes as “read only,” the
PKCS #11 module does not return an error if you specify attributes in your template
with values that correspond to the ones listed in this document. For example, the
following “Certificate Object” section lists CKA_TRUSTED as a read-only attribute
always set to CK_FALSE. If your template for a certificate object includes
CKA_TRUSTED set to CK_FALSE, an error is not returned to the application.
Data Object
The Data (CKO_DATA) object supports all the attributes listed in the PKCS #11
standard.
Certificate Object
Allowed value of CKA_CERTIFICATE_TYPE: CKC_X_509.
Read-Only Attributes:
• CKA_PRIVATE is always CK_FALSE.
• CKA_TRUSTED is always CK_FALSE.
• CKA_CERTIFICATE_CATEGORY is always 0.
• CKA_START_DATE is always empty.
• CKA_END_DATE is always empty.
• CKA_ISSUER is always equal to the DER-encoding of the certificate issuer name
extracted from the CKA_VALUE (BER-encoding of the certificate).
• CKA_SERIAL_NUMBER is always equal to the DER-encoding of the certificate
serial number extracted from the CKA_VALUE (BER-encoding of the
certificate).
• CKA_URL is always empty.
• CKA_HASH_OF_SUBJECT_PUBLIC_KEY is always empty.
Notes:
• If you use a smart card in the Middleware 3.x format, you can specify a
CKA_SUBJECT that is different from the one embedded in the certificate object.
If you use a smart card in the Middleware 2.x format, you must specify a
CKA_SUBJECT that is identical to the CKA_SUBJECT embedded in the
certificate object.
• If you use a smart card in the Middleware 3.x format and it has certificates with
CKA_SUBJECTS that are different from the ones embedded in the certificates,
the certificates lose the subjects if you convert the smart card to the Middleware
2.x format. After the conversion, only the CKA_SUBJECTS embedded in the
certificate will be available.
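The read-only CKA_ISSUER and CKA_SERIAL_NUMBER attributes above are defined as the DER encoding of fields extracted from CKA_VALUE. The following added Python example (not code from the guide or from RSA) reproduces that extraction so an application can compare what the token reports against the certificate it holds. It handles both v1 certificates (no version field) and v3 certificates; the sample certificate bytes are constructed with a small DER encoder and stop after the issuer field, which is all the walker needs.

```python
"""Pull the DER-encoded serialNumber and issuer Name out of a certificate's
CKA_VALUE, the way CKA_SERIAL_NUMBER and CKA_ISSUER carry them (added example;
the certificate bytes are constructed and only run as far as the issuer)."""


def _read_tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, content_start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported or truncated DER length at offset %d" % pos)
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    if end > len(buf):
        raise ValueError("DER element at offset %d runs past the buffer" % pos)
    return tag, start, end


def _expect(buf, pos, tag, what):
    """Read one element and insist on its tag; return (content_start, end)."""
    got, start, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected %s (tag 0x%02X), found tag 0x%02X" % (what, tag, got))
    return start, end


def certificate_issuer_and_serial(cert_der):
    """Return (issuer, serial) as complete DER TLVs, i.e. the values the token
    reports in CKA_ISSUER and CKA_SERIAL_NUMBER for this CKA_VALUE."""
    start, _ = _expect(cert_der, 0, 0x30, "Certificate SEQUENCE")
    pos, _ = _expect(cert_der, start, 0x30, "tbsCertificate SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                          # version [0] EXPLICIT is absent in v1 certs
        pos = end
    _, end = _expect(cert_der, pos, 0x02, "serialNumber INTEGER")
    serial = bytes(cert_der[pos:end])
    pos = end
    _, end = _expect(cert_der, pos, 0x30, "signature AlgorithmIdentifier")
    pos = end
    _, end = _expect(cert_der, pos, 0x30, "issuer Name")
    issuer = bytes(cert_der[pos:end])
    return issuer, serial


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed sample: serial 0x012345, sha256WithRSAEncryption, issuer CN=Example Issuer.
SAMPLE_SERIAL = _der(0x02, b"\x01\x23\x45")
SAMPLE_SIGALG = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
SAMPLE_ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                             + _der(0x0C, b"Example Issuer"))))
SAMPLE_VERSION = _der(0xA0, _der(0x02, b"\x02"))      # v3
SAMPLE_CERT_V3 = _der(0x30, _der(0x30, SAMPLE_VERSION + SAMPLE_SERIAL + SAMPLE_SIGALG + SAMPLE_ISSUER))
SAMPLE_CERT_V1 = _der(0x30, _der(0x30, SAMPLE_SERIAL + SAMPLE_SIGALG + SAMPLE_ISSUER))

if __name__ == "__main__":
    for name, cert in (("v3", SAMPLE_CERT_V3), ("v1", SAMPLE_CERT_V1)):
        issuer, serial = certificate_issuer_and_serial(cert)
        print(name, "CKA_SERIAL_NUMBER =", serial.hex(), "CKA_ISSUER =", issuer.hex())
```

Both returned values keep their tag and length bytes, because that is what "DER-encoding of the certificate issuer name" and "DER-encoding of the certificate serial number" mean in the attribute definitions; comparing only the content bytes would not match the token's CKA_ISSUER or CKA_SERIAL_NUMBER.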
Note: Unless the CKA_ID value is specified in the template used when
C_GenerateKeyPair() is called, the value of CKA_ID will be set to the SHA-1 hash of
the value of the modulus of the public key. In this case, PKCS #11 generates a unique
CKA_ID and sets it the same between the generated public and private keys.
Otherwise, the CKA_ID value is the value specified in the template.
Notes:
• Unless the CKA_ID value is specified in the template used when
C_GenerateKeyPair() is called, the value of CKA_ID will be set to the SHA-1
hash of the value of the modulus of the public key. In this case, PKCS #11
generates a unique CKA_ID and sets it the same between the generated public and
private keys. Otherwise, the CKA_ID value is the value specified in the template.
• When creating a private key using C_CreateObject, specify all the attributes listed
in “Table 36, RSA Private Key Object Attributes” in the PKCS #11 v2.20:
Cryptographic Token Interface Standard document.
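The CKA_ID rule stated in the notes above for both the public and the private key lets an application predict the identifier a generated pair will carry, and use it to pair the two halves. The following is an added Python example, not code from the guide or from RSA. It assumes that the hashed "value of the modulus" is the CKA_MODULUS byte string exactly as the token returns it, and the token objects are constructed dictionaries standing in for what C_FindObjects would enumerate.

```python
"""Predict the CKA_ID the Middleware assigns to a generated RSA key pair and use
it to pair a public key with its private key (added example; the objects and
modulus below are constructed, not read from a token)."""

import hashlib

# PKCS #11 object class values (CK_OBJECT_CLASS) for the two key halves.
CKO_PUBLIC_KEY = 0x00000002
CKO_PRIVATE_KEY = 0x00000003


def default_cka_id(modulus):
    """CKA_ID used when the C_GenerateKeyPair template omits CKA_ID: the SHA-1
    digest (20 bytes) of the public-key modulus. Assumption: `modulus` is the
    CKA_MODULUS byte string exactly as C_GetAttributeValue returns it."""
    return hashlib.sha1(bytes(modulus)).digest()


def expected_cka_id(modulus, template_cka_id=None):
    """The identifier both halves of the pair carry: the template's CKA_ID when
    one was supplied, otherwise the SHA-1 default."""
    return template_cka_id if template_cka_id is not None else default_cka_id(modulus)


def find_private_key_for(objects, public_modulus, template_cka_id=None):
    """Return the private-key object whose CKA_ID pairs it with the public key,
    or None. `objects` stands in for the handles C_FindObjects would return,
    each represented here as a dict of the attributes C_GetAttributeValue yields."""
    wanted = expected_cka_id(public_modulus, template_cka_id)
    for obj in objects:
        if obj["CKA_CLASS"] == CKO_PRIVATE_KEY and obj["CKA_ID"] == wanted:
            return obj
    return None


# Constructed sample modulus (any byte string works; a real 2048-bit modulus is 256 bytes).
SAMPLE_MODULUS = bytes(range(1, 33))
SAMPLE_OBJECTS = [
    {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_LABEL": "generated-pub",
     "CKA_MODULUS": SAMPLE_MODULUS, "CKA_ID": default_cka_id(SAMPLE_MODULUS)},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "imported-priv",
     "CKA_ID": b"app-chosen-id"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "generated-priv",
     "CKA_ID": default_cka_id(SAMPLE_MODULUS)},
]

if __name__ == "__main__":
    print("default CKA_ID:", default_cka_id(SAMPLE_MODULUS).hex())
    print("pairs with:", find_private_key_for(SAMPLE_OBJECTS, SAMPLE_MODULUS)["CKA_LABEL"])
    print("template id pairs with:",
          find_private_key_for(SAMPLE_OBJECTS, SAMPLE_MODULUS, b"app-chosen-id")["CKA_LABEL"])
```

In a real session the same lookup is a C_FindObjectsInit template of CKA_CLASS = CKO_PRIVATE_KEY plus CKA_ID = the predicted value, followed by C_FindObjects; the dictionary scan above only stands in for that call so the example runs offline.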
Cryptographic Mechanisms
RSA Smart Card Middleware supports the following Cryptoki mechanisms for
cryptographic operations. For more information, see the PKCS #11 v2.20:
Cryptographic Token Interface Standard.
Type Mechanism
CKM_AES_CBC_PAD
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_RSA_PKCS_OAEP
CKM_RSA_X_509
CKM_AES_CBC_PAD
CKM_DES3_CBC
CKM_DES3_CBC_PAD
CKM_SHA_1
CKM_SHA256
CKM_RSA_X_509
CKM_SECURID
CKM_DES3_KEY_GEN
CKM_RSA_PKCS_OAEP
CKM_RSA_X_509
Trademarks
RSA, the RSA logo and EMC are either registered trademarks or trademarks of EMC Corporation (“EMC”) in the
United States and/or other countries. All other trademarks used herein are the property of their respective owners.
© 2008–2012 EMC Corporation. All rights reserved.
First Printing: September 2008
Revised: October 2012